Some worry about fallout as e-mail giants develop new systems

Below:

Next story in Security

NEW YORK — With a simple adjustment in your e-mail software, you can pretend to be anyone. You can send messages marked as coming from BillGates@microsoft.com.

The trick, known as spoofing, is a popular method for spammers to hide their tracks — you'd blame Microsoft Corp. chairman Bill Gates and not the actual perpetrator of junk mail.

To close that loophole, Microsoft and Yahoo! Inc. are each developing systems aimed at authenticating senders of e-mail. America Online Inc. is testing a third.

"Having e-mail come in, and not really being able to identify where it comes from, this is a huge security hole," Gates said this week in announcing specifications for his proposal.

Many software engineers are concerned, however, that these systems could end up causing more problems than they solve.

Microsoft's proposal, known as Caller ID for E-mail, calls for Internet service providers to submit lists of unique numeric addresses for their mail servers. On the receiving end, software would check a database to verify that a message said to come from an e-mail provider actually originated at one of its registered machines. (MSNBC is a Microsoft - NBC joint venture.)

In January, AOL began testing a similar system called Sender Policy Framework, or SPF, which checks a different part of the message.

Yahoo's proposed solution is a different animal. It would use encryption to digitally sign messages. If the sender or message content is altered, the signature gets rejected. Yahoo announced its proposal, DomainKeys, in December but has yet to make details public.

The big three e-mail providers are not alone in trying to tackle address spoofing. Leading e-mail software vendor Sendmail Inc., spam-filtering company Brightmail Inc. and frequent e-mailer Amazon.com are also at it, each planning to test one or more systems.

All these competing proposals are enough to get the Internet's standards-setting bodies in a lather.

One of them, the Internet Engineering Task Force, has scheduled a session on authentication next Thursday in South Korea. Experts predict some combination of the techniques will be ready for use later this year, though formal standards will take longer.

There's much work to be done in the meantime, including proving the systems can actually work beyond controlled, laboratory environments.

Caller ID and SPF, at least, are likely to disrupt mail-forwarding services that colleges and companies offer to let alumni and subscribers route e-mail through a domain name other than their own service provider's.

They also could break "send to a friend" features in which someone clicks on a Web link to pass an interesting item to someone else.

Issues to be worked out for all three systems include how to properly send e-mail from cybercafes, hotels and public Wi-Fi hotspots and how to preserve privacy when using anonymous re-mailers, which are used by whistleblowers and others to intentionally mask the origin of messages.

"A lot of people have said that e-mail today is broken, and now we're going to break it a little more," Meng Weng Wong, lead developer of SPF, acknowledged. "Some of the things people are used to doing, they won't be able to do it in quite the same way."

But the gain in fighting spam outweighs any pain from change, Wong argues.

Authentication also can help limit the spread of e-mail viruses and, with Caller ID and DomainKeys, help flag fraudulent "phishing" messages that try to trick people into revealing passwords and credit card information.

The proposals require no changes to existing protocols for e-mail or the domain name system, and developers of all three pledge to eventually seek standards status (Wong has already submitted SPF for review).

For now, the three can coexist, although adoption could be limited until a consensus emerges around one or a combination.

But these solutions alone will not stop spammers.

Systems will have to be established to evaluate the reputation of domains that relay e-mail, and that raises questions about who would develop such lists and who would arbitrate disputes.

In the short term, authentication will be useful mostly for verifying newsletters and other bulk mailings that are often misidentified as spam today, said Margaret Olson, co-chairman of the Email Service Provider Coalition's technology committee.

Once enough service and software providers adopt the technology, "getting unauthenticated mail delivered will be extremely difficult," she said.

And that could hurt e-mailers in other countries where adoption of English-language specifications tend to lag, and smaller service providers may be forced to accept whatever the giants decide, critics warn.

At EarthLink Inc., which is experimenting with authentication, chief architect Robert Sanders said no service provider wants to suddenly stop e-mail from non-participants.

But he likened the technology to telephone's caller ID: "You may still get a phone call with caller ID, but you may not choose to answer it."

Copyright 2004 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.